Luke, I believe this is what you're trying to achieve:
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
Taken from:
If yes, I believe Sebi's examples cover your scenario.
(I didn't have the chance to try Sebi's example)
On 2016-04-29, Luke Holmquist wrote:
On Fri, Apr 29, 2016 at 2:23 PM, Sebastien Blanc
<sblanc(a)redhat.com> wrote:
> Hi Luke !
>
>
> I might be wrong but I think I have the exact demo working of what you
> describe :
>
> 1. the standalone webapp client :
>
https://github.com/sebastienblanc/devoxxfr/tree/master/angular-client ,
> you can run it with "grunt serve"
> 2. the nodejs service :
>
https://github.com/sebastienblanc/devoxxfr/tree/master/nodejs-service ,
> run it with "npm start"
> 3. external keycloak server running
>
>
> I did not need to define any confidential client, the trick is to use
> "bearer-only" for the nodejs service, take a look at my sample realm :
>
https://github.com/sebastienblanc/devoxxfr/blob/master/devoxxrealm.json
>
> i also see another realm file inside the nodejs-service directory, is
that for something else. looks like it would be if you were "logging in"
to the node server
> And sorry if I was completly aside what you meant.
>
> Sebi
>
>
> On Fri, Apr 29, 2016 at 7:09 PM, Luke Holmquist <lholmqui(a)redhat.com>
> wrote:
>
>> I have a use case, that i think could be pretty common, but i'm not
>> entirely sure how to setup it up.
>>
>> The following is a little bit of a thought dump, so pardon me if i ramble
>> a little bit.
>>
>>
>> There are i think 3 components involved here:
>>
>> 1. a pure HTML/JS web app
>>
>> 2. A node.js REST API server
>>
>> 3. Keycloak server
>>
>>
>> The app in this case, would not be served by the node server or the KC
>> server(wildfly), but with something like nginx(or even something like
>> 'python simpleHTTPServer')
>>
>> Basically the flow would be something like this[1]:
>>
>> The web app, using the js adapter, authenticates against the KC server.
>>
>> Now the web app would like to call the node API server(a restricted
>> endpoint) to get some data
>>
>> The web app probably adds the token stuff that it got from KC during it;s
>> login to the request to the node server
>>
>> ***This next part is where i'm getting a little confused, i'm aware
that
>> code to do this might not be written yet****
>>
>> I'm thinking the node server takes the token from the web app request,
>> and would hit an endpoint on the KC server to make sure that token is
>> valid.
>>
>> If things go ok, then node server returns the data.
>>
>> I've seen the recent post on doing token introspection and abstracj was
>> nice enough to make that into a gist,
>>
https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
>>
>> but this would also mean the web client access_type would need to be
>> confidential(which i don't think is secure for a web app) to make a service
>> account that the node server could use to do the token introspection.
>>
>> I was thinking of maybe creating a client also for the node server, but
>> is it possible for 1 client to lookup/validate tokens from another client.
>>
>>
>> Perhaps i'm thinking about this all wrong too, which is very possible.
>>
>> In this example there is only 1 node api server, but there could be
>> multiple node/go/rust/<insert cool kid tech here> servers too
>>
>>
>>
>> Any guidance would be appreciated and sorry for the ramble
>>
>> -Luke
>>
>>
>>
>>
>>
>>
>> [1]
>>
https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROY...
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev